Host Scanner Changelog
This is the list of version numbers of the Cryptosense Host Scanner. Each version number is shown with a list of changes brought by that version.
0.9.9 - 2023-05-15
Changed
- [General] The `--password` argument no longer appears by default in the trace's recorded arguments. Use `--allow-secrets-in-trace` to write it to the trace again.
Added
- [General] Add `--tag` argument to host-scanner. Can be specified multiple times. The provided tags are written in the trace header.
- [General] Add `--allow-secrets-in-trace` argument to host-scanner. This argument allows the `--password` argument to be written in the trace.
- [General] Add `--max-files-per-second` argument to host-scanner. This argument sets a limit on the number of files scanned per second. 0 means no limit and is the default value.
- [General] Add `--work-load` argument to host-scanner. This argument sets a limit, as a percentage, on the CPU load of the Host Scanner during its execution. The default value is 100% (no limit).
- [General] Add `--exclude` argument to host-scanner. Can be specified multiple times. The provided files or directories are not scanned.
- [zip] Add `zip` module and basic parsing of zip files.
0.9.7 - 2023-01-04
Changed
- [PKCS#12] Remove unnecessary warnings about PKCS#12 parsing.
- [Certificates] Add missing algorithm identifier for `md2withrsa` signature.
- [General] Add alternative algorithm identifier for DSA keys.
- [General] Improve reporting of unknown algorithm identifiers.
Added
- [PPK] Detect PPK files (used by PuTTY) and extract their content.
- [PKCS#7] Detect PKCS#7 files and extract their content.
- [SSH] Add the parsing of the public keys coming from SSH certificates.
0.9.6 - 2022-09-15
Changed
- [PEM] Extract all certificates from concatenated PEM files.
Added
- [General] Add the `--password` option to try the decryption of PBE-encrypted information.
- [PKCS#12] Extract content of `Data` items.
- [PKCS#12] Extract content of `EncryptedData` items if `--password` is provided and decryption succeeds.
  - Support of `PBES2` encryption with `pbkdf2` as KDF, and `AES-(128/192/256)-(ECB/CBC)` and `3DES-CBC` as encryption schemes.
  - Other algorithms are not decrypted, but the algorithm names are exported for analysis.
0.9.5 - 2022-06-28
Changed
- Deprecate the `--include-keys` option. Keys are now included by default.
- Detect PEM blocks preceded by some plain text, up to 32 KiB after the beginning of the file. Previously, PEM content was only detected at the beginning of a file.
Added
- Detect JCEKS keystores and extract their content, if unencrypted.
- Add support for Windows.
Fixed
- Fix crash on certificates containing invalid UTF-8 strings inside distinguished names.
- Fix crash on some malformed PGP keys.
- Increase robustness of scanner against parsing bugs by making it recover and continue scanning.
- Fix a situation where some combinations of command-line options caused the same parser modules to be applied to files more than once.
- Ensure correct JSON encoding of the trace header (e.g. correct escaping of `\` characters in Windows file paths).
- Fix crash on keystore private key entries with empty certificate chains.
- Fix failure to detect PEM files with Windows CRLF line endings.
- Fix crash on some special files where true and reported file lengths differ (e.g. in `/sys`).
0.9.4 - 2022-04-08
Changed
- Change the `--max-file-size` option to interpret `0` as "no size limit". Any strictly positive value is interpreted the same way as before (file cutoff in bytes).
Fixed
- Improve encoding of certificate serial numbers so that such certificates have a better chance of being correctly matched with certificates coming from other sources such as the Java Tracer.
- Improve performance of scanning:
  - Improve detection of ASN.1 files to reduce memory usage and time spent in scans.
  - Exclude CPIO and system map files from scan.
0.9.3 - 2022-03-02
Added
- Add option `--max-file-size` to change the size limit for scanned files. The default value is 1 MB.
Changed
- Limit the amount of data read from any single file to 1 MB by default. This avoids performance issues when large files are mistaken for ASN.1 files.
Fixed
- Prevent the host scanner from missing some files when `/sys` is in the scope of the scan, even if those files are outside of `/sys`.
0.9.2 - 2022-02-01
Added
- Add initial support for PKCS#12 keystores.
Changed
- Fix host name for Docker image scans: it now reports the image name.
0.9.1 - 2021-10-29
Fixed
- Fix container image file locations to not contain the temporary prefix used for scanning (e.g. `/etc/ssl/cert.pem` instead of `/tmp/tmp_name/etc/ssl/cert.pem`).
0.9.0 - 2021-10-13
Added
- Add initial support for PGP keys.
0.8.0 - 2021-08-04
Fixed
- Catch and handle "end of file" errors coming from the Java static scanner if it is used in combination with the host scanner.
0.7.1 - 2021-07-29
Added
- Add on-the-fly gzip compression of scans.
Fixed
- Fix stack overflow when scanning files with a large number of line breaks.
- Improve error message when the host scanner is used in combination with the Java static scanner.
Changed
- Rename CLI option `--static_scanner_path` to `--static-scanner-path`.
- Rename CLI option `--image_name` to `--image-name`.
0.7.0 - 2021-07-09
Added
- Add Docker image scanning.
0.6.0 - 2021-06-11
Added
- Add support for EC and DSA private keys and certificates.
- Add support for DER encoding.
- Include encoded certificates in the scan file.
0.5.0 - 2021-04-16
Added
- Add hard-coded strings parsing of JAR files.
0.4.0 - 2021-02-10
Added
- Add parsing of JKS keystores.
0.3.0 - 2020-04-27
Added
- Add a progress bar showing the number of files scanned.
Changed
- Change log level of "Unknown OID" message from warning to debug.
Fixed
- Improve performance on large directory trees: less RAM usage, less computing and fewer syscalls.
- Fix file being counted twice, and potential infinite loop, by not following symbolic links.
- Fix freeze on files without an end, such as some special files in `/sys/kernel`.
0.2.0 - 2020-04-16
Changed
- Make host scanner a lot less verbose by default.
Fixed
- Fix stack overflow when scanning large directories.
Added
- Add `--verbose` and `--quiet` options to control the verbosity.
0.1.0 - 2020-04-07
Initial release.